Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-22336 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-27 |
| Vendor | WordPress |
| Product | Directorist Booking (plugin) |
| CVSS Score | 9.3 (critical) |
| EPSS Score | 0.0% (percentile: 9%) |
| CISA KEV | No |
| Ransomware | Not confirmed |

Vulnerability Description
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Directorist Booking allows SQL Injection. This issue affects Directorist Booking versions before 3.0.2. By exploiting this flaw, an attacker can read, modify, or delete data in the WordPress database hosting the vulnerable site.
Required Actions
Update the Directorist Booking plugin to version 3.0.2 or later in the WordPress admin panel immediately. Until the update is applied, consider temporarily disabling the plugin, taking a database backup, reviewing logs for suspicious SQL queries, and deploying a WAF (e.g., Wordfence, Sucuri) with SQLi protection rules.
Who Is Affected?
This vulnerability affects the Directorist Booking plugin for WordPress at versions earlier than 3.0.2. Check whether your WordPress site uses this plugin (a Directorist booking add-on) and update without delay.
